
Summary
This detection rule is aimed at identifying potentially suspicious driver installations performed with the `odbcconf.exe` binary on Windows systems. The detection method focuses on executions of `odbcconf.exe` with the `INSTALLDRIVER` command-line argument where the specified driver does not have a `.dll` extension. This behavior is often indicative of an attempt to evade defenses, as legitimate ODBC drivers are typically DLL files. By detecting driver installations that deviate from this norm, security teams can respond to potential threats more effectively. The rule combines selection criteria on the command-line arguments with criteria on the properties of the executed binary to assess the legitimacy of the process.
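The detection logic described above, written out as an added Python example (this is illustrative code, not the rule's own query language or the project's code). It checks the binary properties (image name or original file name `odbcconf.exe`), looks for the `INSTALLDRIVER` argument, extracts the `Driver=` value from the ODBC driver specification string and flags the event when that file does not end in `.dll`. The field names (`Image`, `OriginalFileName`, `CommandLine`) follow the Sysmon process-creation convention, and every event record is constructed for the example; none is real telemetry.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /a {INSTALLDRIVER "Example Driver|Driver=C:\Program Files\Example\example.dll|Setup=C:\Program Files\Example\example.dll"}'},
    {"id": 2, "Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /a {INSTALLDRIVER "Stage|Driver=C:\Users\Public\notes.txt"}'},
    # Renamed copy of the binary: only OriginalFileName still identifies it.
    {"id": 3, "Image": r"C:\Temp\oc.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'oc.exe /a {INSTALLDRIVER "X|Driver=C:\Temp\x.bin"}'},
    # Different odbcconf action, no INSTALLDRIVER: out of scope for this rule.
    {"id": 4, "Image": r"C:\Windows\System32\odbcconf.exe", "OriginalFileName": "odbcconf.exe",
     "CommandLine": r'odbcconf.exe /a {REGSVR C:\Program Files\Example\example.dll}'},
    # Same argument text in an unrelated process: binary criteria do not match.
    {"id": 5, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r'notepad.exe INSTALLDRIVER "X|Driver=C:\Temp\x.bin"'},
]

# INSTALLDRIVER followed by either a quoted driver specification or a bare token.
INSTALLDRIVER_RE = re.compile(r'INSTALLDRIVER\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def is_odbcconf(event):
    """Binary criteria: image file name or PE original file name is odbcconf.exe."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image_name == "odbcconf.exe" or original == "odbcconf.exe"


def extract_driver_path(command_line):
    """Return the file named by the Driver= key of the INSTALLDRIVER spec, or None."""
    match = INSTALLDRIVER_RE.search(command_line)
    if not match:
        return None
    spec = match.group(1) if match.group(1) is not None else match.group(2)
    spec = spec.strip("{}")  # the /a {...} action braces may wrap an unquoted spec
    # Spec format: "Name|Driver=<path>|Setup=<path>|..."; Driver= names the file loaded.
    for field in spec.split("|"):
        key, sep, value = field.partition("=")
        if sep and key.strip().lower() == "driver":
            return value.strip()
    # No Driver= key present: treat the whole spec as the file to load.
    return spec


def is_suspicious(event):
    """Rule logic: odbcconf.exe + INSTALLDRIVER + driver file not ending in .dll."""
    command_line = event.get("CommandLine", "")
    if not is_odbcconf(event) or "installdriver" not in command_line.lower():
        return False
    driver = extract_driver_path(command_line)
    if driver is None:
        # Unparseable spec: fall back to the coarse check on the whole command line.
        return ".dll" not in command_line.lower()
    return not driver.lower().endswith(".dll")


def detect(events):
    """Return (event id, driver path) for every event that matches the rule."""
    return [(e["id"], extract_driver_path(e["CommandLine"])) for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for event_id, driver in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: INSTALLDRIVER with non-DLL driver {driver!r}")
```

Events 1 and 4 are the benign cases the rule must not fire on; event 3 shows why the binary criteria include `OriginalFileName` rather than the image path alone, and event 5 shows why the command-line criterion alone is not sufficient.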
Categories
- Endpoint
Data Sources
- Process
Created: 2023-05-23